Abstract. Production factories in which stable voltage is critical, e.g., an
electro-plating factory, require constantly stable voltage to minimize loss,
achieved by adjusting incoming voltage in real time even if low-quality
electricity is supplied from outside. To solve this problem, which often
arises in factories located in areas with unstable electricity supply, we
designed an N-M switching control system and verified its correctness using
the LTL model checking technique.

1 Introduction 

Production under unstable electricity conditions may cause serious financial
loss, such as a large number of rejects, in factories whose processes require
highly stable electricity. For example, professional precious metal plating
companies need to keep the voltage stable at all times while they work. When
such factories or companies are situated in an area with unstable power
supply, voltage stabilization becomes all the more important.

The N-M switching control system was motivated by a requirement raised by a
plating factory for eating utensil sets [3]. The quality of the electricity
supplied to the factory was not good; that is, on some days low- or
high-voltage electricity was supplied. There was a manual voltage regulator
switching between M levels in the factory. When the incoming voltage was too
low or too high, however, it was impossible to supply the necessary voltage to
all workplaces of the factory, even if the operator switched up to the maximum
or down to the minimum level. This is not a problem that can be solved just by
installing a larger-capacity regulator, because the input voltage bandwidth of
each regulator is limited.

From the standpoint of the factory's profit, it was better to produce only in
the workplaces that can be supplied with normal voltage, by adjusting and
distributing the incoming voltage in real time, than to expose all workplaces
to the failure to produce acceptable goods. However, there was no voltage
regulator meeting such a special requirement (see Section 2 for more details),
though numerous works have been devoted to designing and implementing various
types of stable voltage suppliers, e.g., [1, 2]. To solve the problem we
designed the N-M switching control system, N-M system for short in this paper,
by combining a PC with the manual voltage regulator of the factory. The N-M
system is a real-time voltage normalization and distribution system that
divides the workplaces of the factory into N sections, adjusts the voltage by
switching between M levels, and supplies normalized voltage to the sections
according to the given priority. To the best of our knowledge, the N-M system
is an original work, and thus design verification is needed for the successful
implementation of the system at low cost.

In this paper, we describe the working mechanism of the N-M system and present
a method to verify the correctness of its design using the LTL model checking
technique. LTL (Linear-time Temporal Logic) is a kind of temporal logic with
strong expressive power for specifying time-dependent properties of real-time
systems, and LTL-based model checking is now widely used in the verification
of real-time systems [4, 5, 6, 7, 8]. We do not concentrate on describing the
details of the N-M system and the whole specification of its requirements, but
rather focus on showing our method to verify the N-M system against its
time-dependent requirements using the LTL model checking technique.

2 Working Mechanism and Design Requirements 

In this section, we describe the working mechanism, implementation method and
time-dependent requirements of the N-M system.

The workplaces of the factory are divided into N sections
$W_1, W_2, \ldots, W_N$ by considering the relative independence of work. A
power supply priority is assigned to each section according to the importance
or processing order of products. For example, we may give the highest priority
to the silver-plating workplace. For convenience of description, we assume
that $W_i$ has higher priority than $W_j$ if $i < j$. Voltage is adjusted at M
levels $L_1, L_2, \ldots, L_M$. There are three states for each level, that
is, low voltage state $l$, normal voltage state $n$ and high voltage state
$h$. This standard is set by considering the technical requirements of
production.

We briefly describe the working mechanism of the N-M system below. The system
starts control in level $L_a$, where a = \M/2\, and performs one of the
following three behaviors.

— Increase voltage by switching the level to $L_{a+1}$, if the incoming voltage is low.

— Supply electricity to section $W_1$, if the incoming voltage is normal.

— Drop voltage by switching the level to $L_{a-1}$, if the incoming voltage is high.

Let us now assume that the system is in level $L_M$ and the sections currently
supplied are $W_1, W_2, \ldots, W_n$.

— Suspend electricity supply to $W_n$, if the incoming voltage is low.

— Supply electricity to section $W_{n+1}$, if the incoming voltage is normal.

— Drop voltage by switching the level to $L_{M-1}$, if the incoming voltage is high.

For practical design and implementation, more items than those described above
must be considered. The purpose of the paper is to show the verification
method for the N-M system, and thus we do not consider some details of the
system.

Control of the N-M system is realized using the values of an $(N+M+3)$-bit
string corresponding to the sections $W_1, W_2, \ldots, W_N$, the voltage
adjustment levels $L_1, L_2, \ldots, L_M$ and the voltage states $l, n, h$ in
each level. For example, in the case $N = 3$ and $M = 2$, the bit string
111 10 010 denotes that normal voltage is supplied to all sections by
increasing the voltage adjustment level to the maximum.

The number of possible bit strings is $2^{N+M+3}$ for an $(N+M+3)$-bit string,
but some bit strings do not occur in control. In the above case, the bit
strings 010 01 010 and 010 11 001 do not occur. This is because the system
does not supply electricity to $W_{i+1}$ unless $W_i$ is supplied with
electricity, and the voltage adjustment cannot be in different levels at the
same time. The exact number of bit strings occurring in control is
$(N+1) \times (4 \times M)$. This is not a small number, and we may fail to
implement a correct control system if we do not verify the design.

We only consider 8 requirements of N-M system for the purpose of the paper, 
though there are many other requirements to be verified. 

$D_1$: System decreases work section by one, if the voltage state is low in
maximum level.

$D_2$: System suspends electricity supply to all sections, if the voltage
state is high in minimum level.

$D_3$: System keeps current supplying sections and levels up by one, if
voltage state is low and leveling up is possible.

$D_4$: System keeps current supplying sections and levels down by one, if
voltage state is high and leveling down is possible.

$D_5$: System increases work section by one, if voltage state is normal in
current level.

$D_6$: System keeps current supply, if all sections are supplied with
electricity and voltage state is normal in current level.

$D_7$: System does not supply electricity to $W_{i+1}$ unless $W_i$ is
supplied with electricity.

$D_8$: It is possible to supply electricity to all sections.

3 Verification of Design using LTL Model Checking 

In this section, we present our method to verify the N-M switching control
system against its requirements using the LTL model checking technique. For
this, we construct a transition system model of the N-M system and write LTL
specifications of its requirements. Then we check the satisfaction relation
between the model and the specifications using the LTL model checking tool
NuSMV [9-11]. NuSMV (New Symbolic Model Verifier) was designed as a reliable
verification tool for industrial-sized designs and as a research tool for
formal verification techniques. NuSMV supports the analysis of specifications
expressed in LTL and in another temporal logic, CTL.

A transition system is a triple $\mathcal{M} = (S, T, L)$ consisting of a
finite set $S$ of states, a transition relation $T \subseteq S \times S$, and
a labelling function $L : S \to 2^{AP}$ which assigns a set of atomic
propositions to each state $s \in S$. $AP$ is the set of observable atoms of
the system. Fig. 1 shows an example of a transition system.

Fig. 1. A Transition System



For LTL modeling of N-M system, we use the following atomic propositions. 

— $W_i$ ($i = 1, \ldots, N$): Section $W_i$ is supplied with electricity.

— $L_j$ ($j = 1, \ldots, M$): Voltage adjustment level is $L_j$.

— $l$: Voltage is low in current level.

— n: Voltage is normal in current level. 

— h: Voltage is high in current level. 

As we mentioned in Section 2, the total number of states of the N-M system is
$(N+1) \times (4 \times M)$. It is difficult to draw the complete transition
system model of the N-M system on a page. We only show a part of the model in
Fig. 2.

Fig. 2. Transition System Model of N-M Switching Control System



An LTL formula $\phi$ is built up from a finite set of atomic propositions,
the propositional operators $\neg, \wedge, \vee, \rightarrow$ and the temporal
modal operators X, F, G, U, W, R. Among the temporal operators, X, F and G are
used in this paper. LTL formulas are evaluated on the paths of a transition
system. Let $s_0 \to s_1 \to s_2 \to \ldots$ be a path of a transition system
$\mathcal{M}$.

— $X\phi$ means that $\phi$ has to hold at $s_1$ on the path.

— $F\phi$ means that $\phi$ eventually has to hold at a state $s_i$ ($i \geq 1$), somewhere on the path.

— $G\phi$ means that $\phi$ has to hold at all states $s_i$ ($i \geq 0$) on the path.

Let $s_0$ be the initial state of a transition system $\mathcal{M}$ and $\phi$
be an LTL formula. We say that $\phi$ is satisfied by $\mathcal{M}$, denoted
by $\mathcal{M}, s_0 \models \phi$, if $\phi$ holds on every path of
$\mathcal{M}$ which starts from $s_0$. The requirements of the N-M system can
be specified with the LTL operators G, X and F as follows. (Note that $D_1$,
$D_3$, $D_4$, $D_5$ and $D_7$ are formula schemata.)

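$D_1 : G(L_M \wedge l \wedge W_1 \wedge \ldots \wedge W_i \rightarrow X(W_1 \wedge \ldots \wedge W_{i-1}))$, $i = 1, \ldots, N$

$D_2 : G(L_1 \wedge h \rightarrow X(\neg W_1 \wedge \ldots \wedge \neg W_N))$

$D_3 : G(L_j \wedge l \wedge W_1 \wedge \ldots \wedge W_i \rightarrow X(L_{j+1} \wedge W_1 \wedge \ldots \wedge W_i))$, $i = 1, \ldots, N$ and $j = 1, \ldots, M-1$

$D_4 : G(L_j \wedge h \wedge W_1 \wedge \ldots \wedge W_i \rightarrow X(L_{j-1} \wedge W_1 \wedge \ldots \wedge W_i))$, $i = 1, \ldots, N$ and $j = 2, \ldots, M$

$D_5 : G(n \wedge W_1 \wedge \ldots \wedge W_i \rightarrow X(W_1 \wedge \ldots \wedge W_{i+1}))$, $i = 1, \ldots, N-1$

$D_6 : G(n \wedge W_1 \wedge \ldots \wedge W_N \rightarrow X(W_1 \wedge \ldots \wedge W_N))$

$D_7 : G\neg(\neg W_i \wedge W_j)$, $1 \leq i < j \leq N$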

$D_8$ cannot be specified as an LTL formula directly. The LTL specification of
the negation of $D_8$ is as follows.

$D'_8 : \neg F(W_1 \wedge \ldots \wedge W_N)$

Therefore, if $D'_8$ is not satisfied by a transition system, then $D_8$ is
satisfied by it, and vice versa.

Using the temporal logic model checker NuSMV, we checked the satisfaction
relation between the transition system model and the LTL specifications of the
N-M system. Through several executions of NuSMV and debugging, we could
construct a transition system model of the N-M system satisfying the real-time
requirements including $D_1, \ldots, D_8$. Using this model, we designed and
implemented a correct N-M switching control system meeting the requirement of
the factory.
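
The check described in this section, as an added example that is not the paper's NuSMV model: a small explicit-state search in Python over the controller of Section 2, testing each requirement on every reachable transition. The function names, the start level passed as a parameter, keeping the level unchanged on a normal reading, and treating the next voltage reading as arbitrary are assumptions; each test is the prose requirement, which implies the corresponding LTL schema.

```python
# Added example; names, start level and "level kept on normal" are assumptions.
VOLT = ("l", "n", "h")  # voltage state at the current level: low, normal, high

def step(w, j, v, N, M):
    """Controller move: sections w (tuple of bools), level j, voltage v."""
    k = sum(w)
    if v == "l" and j < M:
        return w, j + 1                      # level up, sections kept
    if v == "h" and j > 1:
        return w, j - 1                      # level down, sections kept
    if v == "l":
        k = max(k - 1, 0)                    # max level: suspend last section
    elif v == "h":
        k = 0                                # min level: suspend all sections
    else:
        k = min(k + 1, N)                    # normal: supply next section
    return tuple(i < k for i in range(N)), j

def reachable(N, M, start, move=step):
    """States (w, j, v) reachable when every next voltage reading is possible."""
    seen, todo = set(), [((False,) * N, start, v) for v in VOLT]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            w2, j2 = move(*s, N, M)
            todo += [(w2, j2, v2) for v2 in VOLT]
    return seen

def violated(N, M, start, move=step):
    """Names of requirements D1..D8 that fail; an empty set means all hold."""
    bad, states = set(), reachable(N, M, start, move)
    for w, j, v in states:
        k = sum(w)
        w2, j2 = move(w, j, v, N, M)
        k2 = sum(w2)
        rules = {
            "D1": not (j == M and v == "l" and k > 0) or k2 == k - 1,
            "D2": not (j == 1 and v == "h") or k2 == 0,
            "D3": not (v == "l" and j < M) or (w2, j2) == (w, j + 1),
            "D4": not (v == "h" and j > 1) or (w2, j2) == (w, j - 1),
            "D5": not (v == "n" and k < N) or k2 == k + 1,
            "D6": not (v == "n" and k == N) or k2 == N,
            "D7": all(w[:k]),                # supplied sections form a prefix
        }
        bad |= {name for name, ok in rules.items() if not ok}
    if not any(all(w) for w, _, _ in states):
        bad.add("D8")                        # all sections never supplied
    return bad
```

Passing a different `move` function to `violated` shows which requirement a faulty controller design breaks, which is the debugging loop the paragraph above describes.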

4 Conclusion

Temporal logic model checking is a very useful technique for designing and
implementing real-time systems like the N-M switching control system. We
believe that the N-M switching control system and its verification method
presented in the paper can be used in other cases of designing and verifying
control systems.